The tables below provide the following CEF-App Control mapping information:
- Mapping of App Control Event Data to CEF Header Fields shows the mapping of App Control data to CEF Header fields
- Mapping of App Control Event Data to CEF Extensions shows the mapping of App Control data to CEF Extension field data
- Mapping to Custom CEF Extensions shows App Control-specific custom extensions

Mapping of App Control Event Data to CEF Header Fields

CEF Prefix Field | App Control Value | Description |
---|---|---|
Host | Hostname | Hostname of the App Control Server providing the Syslog output. |
Version | 0 | CEF format version. By default this is 0. |
Device Vendor | VMware Carbon Black | The company name of the syslog output provider. |
Device Version | 8.7.0.xxx | The version of the product generating syslog output. The current App Control version is 8.7.0 and xxx represents the build number appended to the version. |
Device Product | App Control | The product name of the syslog output provider. |
SignatureID | Event subtype ID | Unique number for the event subtype as classified by App Control. |
Name | Event subtype name | Unique name for the event subtype as classified by App Control. |
Severity | Event severity ID | Numeric value indicating the severity of the event. App Control event severity ranges from 7 (least severe) to 0 (most severe). These are mapped to CEF severity levels, which range from 0 (least severe) to 10 (most severe). The CEF severity is calculated by subtracting the App Control severity from 9. This means that the most severe App Control event has a CEF severity of 9, and the least severe App Control event has a CEF severity of 2. |
Extension | (varies) | Additional event information. See Mapping of App Control Event Data to CEF Extensions. |

Mapping of App Control Event Data to CEF Extensions

CEF Extension Name | App Control Event Field | Description |
---|---|---|
externalId | Event ID | Unique auto-incremented ID of each generated App Control event. |
DeviceEventCategory | Event Type | App Control event type. |
startTime | Event Timestamp | Timestamp when the event was created on the endpoint (in UTC). |
ReceiptTime | Event Received Timestamp | Timestamp when the event was received by the App Control Server (in UTC). |
Message | Event Description | Full text message of the App Control event. |
deviceHostName | Server Hostname | App Control Server host name. Note that this could be an IP address if that is what was entered during server installation. |
destinationAddress * | IP Address | IPv4 address of the machine generating the event (if available). |
deviceCustomIPv6Address3 * | IP Address | IPv6 address of the machine generating the event (if available). |
destinationHostName * | Hostname | Host name of the machine generating the event. |
destinationUserName * | Username | User name of the user generating the event. |
fileId * | Antibody ID | Unique (auto-incremented) ID of the file generating the event. |
filePath * | File Path | Full pathname of the file generating the event. |

\* CEF Extensions marked with an asterisk are context-dependent and not available on all events.

Mapping to Custom CEF Extensions

CEF Custom Extension & Label | App Control Event Field | Description |
---|---|---|
deviceCustomString1 * (deviceCustomString1Label = "rootHash") | Root Hash | Root hash of the file generating the event. |
deviceCustomString2 * (deviceCustomString2Label = "installerFilename") | Installer Filename | Installer filename of the file generating the event. |
deviceCustomString3 * (deviceCustomString3Label = "policy") | Policy | App Control policy of the machine generating the event. |
deviceCustomString4 * (deviceCustomString4Label = "banName") | Ban Name | For a block event, the name of the ban (if any) that blocked the file; some bans are unnamed. |
deviceCustomString5 * (deviceCustomString5Label = "ruleName") | Rule Name | The name of the rule associated with the event (if any). |
deviceCustomString6 * (deviceCustomString6Label = "updaterName") | Updater Name | The name of the Updater associated with the event (if any). |
deviceCustomFloatingPoint1 * (deviceCustomFloatingPoint1Label = "fileTrust") | File Trust | File trust from Carbon Black File Reputation for the file associated with the event. Pending means that the Carbon Black File Reputation lookup has not yet been performed but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0-10 = trust value. |
deviceCustomFlexString1 * (deviceCustomFlexString1Label = "fileThreat") | File Threat | File threat from Carbon Black File Reputation for the file associated with the event. Pending means that the Carbon Black File Reputation lookup has not yet been performed but will be. (Conditional) Values: "pending", "unknown", "0 - No threat", "1 - Potential risk", "2 - Malicious". |
deviceCustomFloatingPoint2 * (deviceCustomFloatingPoint2Label = "processTrust") | Process Trust | Parent process trust from Carbon Black File Reputation for the file associated with the event. Pending means that the Carbon Black File Reputation lookup has not yet been performed but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0-10 = trust value. |
deviceCustomFlexString2 * (deviceCustomFlexString2Label = "processThreat") | Process Threat | Parent process threat from Carbon Black File Reputation for the file associated with the event. Pending means that the Carbon Black File Reputation lookup has not yet been performed but will be. (Conditional) Values: "pending", "unknown", "0 - No threat", "1 - Potential risk", "2 - Malicious". |

\* All CEF Custom Extensions are context-dependent and not available on all events.
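The three mappings above, exercised by an added parser that is not App Control code and not part of this documentation: it splits the CEF header while honouring `\|` escapes, parses the extension block while honouring `\=` inside values, folds each custom extension and its `...Label` pair into the named field the tables list, and inverts the "9 minus App Control severity" formula to recover the original severity. It assumes the wire line carries the custom extensions under the standard short CEF keys (`cs1`, `cfp1`, `flexString1`); the sample line, host names, user, hash and build number are constructed.

```python
import re
# Constructed sample App Control CEF line (not captured from a real server). CEF severity 9 is
# an App Control severity-0 event. Build, subtype, hash, hosts and user are made up; custom
# extensions use the short CEF keys (cs1 = deviceCustomString1, cfp1 = deviceCustomFloatingPoint1).
SAMPLE_LINE = (
    "CEF:0|VMware Carbon Black|App Control|8.7.0.1234|1000|Execution block|9|"
    "externalId=12345 cat=Policy Enforcement dvchost=appctl01.example.test dst=10.0.0.5 "
    "dhost=WS01 duser=CORP\\\\jdoe fileId=778 filePath=C:\\\\Users\\\\jdoe\\\\tool.exe "
    "cs1=deadbeef cs1Label=rootHash cs4=Blocked Tools cs4Label=banName cfp1=-2 "
    "cfp1Label=fileTrust flexString1=pending flexString1Label=fileThreat msg=Blocked, ticket\\=INC-1"
)
HEADER_NAMES = ["version", "deviceVendor", "deviceProduct", "deviceVersion", "signatureId", "name", "severity"]
# Header is CEF:Version|Vendor|Product|Device Version|SignatureID|Name|Severity|Extension;
# a field is any run of escaped chars (\| or \\) or chars other than '|' and '\'.
_FIELD = r"((?:\\.|[^|\\])*)"
_HEADER_RE = re.compile(r"^CEF:" + r"\|".join([_FIELD] * 7) + r"\|(.*)$", re.S)
# An extension key starts the string or follows whitespace and ends in an unescaped '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")

def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text, flags=re.S)

def parse_extensions(ext):
    """Split 'k=v k2=v2 ...' into a dict; values may hold spaces and escaped \\= pairs."""
    matches = list(_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    # Fold each custom extension and its label (cs1 + cs1Label=rootHash) into the named
    # field the table lists; the long deviceCustomString1 spelling is handled the same way.
    for label_key in [k for k in fields if k.endswith("Label")]:
        base = label_key[:-len("Label")]
        if base in fields:
            fields[fields.pop(label_key)] = fields.pop(base)
    return fields

def parse_app_control_cef(line):
    """Parse one App Control CEF line into header fields plus resolved extensions."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_NAMES, (_unescape(f) for f in m.groups()[:7])))
    event["severity"] = int(event["severity"])
    event["appControlSeverity"] = 9 - event["severity"]  # invert CEF = 9 - App Control
    event["ext"] = parse_extensions(m.group(8))
    return event

def trust_status(value):
    """Decode fileTrust/processTrust: -2 = pending, -1 = unknown, else the 0-10 trust."""
    return {-2.0: "pending", -1.0: "unknown"}.get(float(value), float(value))
```

A SIEM normaliser built this way can alert on the resolved `banName`, `fileThreat` and `appControlSeverity` fields directly instead of on positional `cs4` or `flexString1` values.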